HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group

The Russian threat groups that we monitor frequently cover their
tracks to evade detection. One of these groups, APT29, has been
particularly active throughout 2015, redoubling its efforts with new
downloaders, payloads, and targets. Several of our colleagues in the
security industry[1] have published research
exposing some of APT29’s recent activities.

In early 2015, we came across a backdoor, HAMMERTOSS, which is
similarly designed to make it difficult for security
professionals to detect and characterize the extent of APT29’s
activity. The developers of HAMMERTOSS try to avoid detection by
adding layers of obfuscation and mimicking the behavior of legitimate
users. HAMMERTOSS does this by using several commonly visited
websites—Twitter, GitHub, and cloud storage services—to relay commands
and extract data from victims.

HAMMERTOSS works by:

Retrieving commands via legitimate web services, such as
Twitter and GitHub, or using compromised web servers for command and
control (CnC),

Visiting different Twitter handles daily and
automatically,

Using timed starts—communicating only after a
specific date or only during the victim’s workweek,

Extracting information from a compromised network
and uploading files to cloud storage services.
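One way a defender can hunt for the "different Twitter handle daily" behavior described above is to look, in web proxy logs, for hosts whose Twitter profile-page requests never repeat a handle and arrive once per day on workdays. This is an added example, not code from the original post or from FireEye; the log format, client addresses, handles and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (assumption): "<ISO timestamp> <client IP> <URL>".
# 10.0.0.5 visits a fresh handle each workday; 10.0.0.9 behaves like a human reader.
SAMPLE_LOG = """\
2015-07-20T09:12:03 10.0.0.5 https://twitter.com/abc123xyz
2015-07-21T09:14:11 10.0.0.5 https://twitter.com/def456uvw
2015-07-22T09:11:48 10.0.0.5 https://twitter.com/ghi789rst
2015-07-20T12:30:00 10.0.0.9 https://twitter.com/fireeye
2015-07-21T12:31:00 10.0.0.9 https://twitter.com/fireeye
2015-07-22T12:29:00 10.0.0.9 https://twitter.com/home
"""

# Only bare profile URLs (https://twitter.com/<handle>) are of interest here.
LINE_RE = re.compile(r"^(\S+) (\S+) https?://(?:www\.)?twitter\.com/([A-Za-z0-9_]+)\s*$")


def parse_twitter_profile_hits(log_text):
    """Return {client: [(date, handle), ...]} for Twitter profile-page requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, handle = m.groups()
        hits[client].append((datetime.fromisoformat(ts).date(), handle))
    return hits


def flag_rotating_handle_clients(log_text, min_days=3):
    """Flag clients that, on at least min_days distinct workdays, requested exactly
    one Twitter profile per day and never the same handle twice. The threshold is a
    hunting heuristic (assumption), not a signature; review hits manually."""
    flagged = []
    for client, visits in parse_twitter_profile_hits(log_text).items():
        days = {d for d, _ in visits}
        handles = [h for _, h in visits]
        one_new_handle_per_day = len(set(handles)) == len(handles) == len(days)
        workdays_only = all(d.weekday() < 5 for d in days)
        if len(days) >= min_days and one_new_handle_per_day and workdays_only:
            flagged.append(client)
    return sorted(flagged)
```

Run it against real proxy exports by replacing SAMPLE_LOG; a host that also fetches the same handles as its peers, or many handles in one day, will not match and needs a different query.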

APT29 is among the most capable groups that we track. While other
APT groups try to cover their tracks to thwart investigators, APT29
stands out. They show discipline and consistency in reducing or
eliminating forensic evidence, as well as adaptability in monitoring
and circumventing network defenders’ remediation efforts. In our
report, we describe how HAMMERTOSS functions and how it demonstrates
APT29’s capabilities.

FireEye products/services identify this activity as HAMMERTOSS
within the user interfaces.